OWASP GraphQL Cheat Sheet Flashcards
Real time AJAX security evaluation for learners based on content at https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet
Common Attacks
What types of injection attacks are common?
SQL/NoSQL injection, OS command injection, SSRF, CRLF injection, and request smuggling.
Common Attacks
What is an IDOR attack?
It’s abuse of broken authorization, granting improper or excessive access.
Common Attacks
What are GraphQL-specific attacks?
Batching attacks and abuse of insecure default configurations.
Input Validation
How does strict input validation help?
It prevents injection and DoS attacks by ensuring user input is safe before it’s used in HTTP requests, database queries, or other calls.
Input Validation
What should incoming data be validated against?
A strict allow-list of valid values, avoiding deny-lists.
Input Validation
How should invalid inputs be handled?
Gracefully reject them without revealing excessive information about API validation.
Injection Prevention
What tools should be used to handle input meant for other interpreters (e.g., SQL, OS)?
Libraries offering safe APIs like parameterized statements or ORM/ODM tools, used correctly.
Injection Prevention
What should be done if tools aren’t available?
Escape/encode input data using actively maintained libraries.
DoS Prevention
What measures can limit GraphQL DoS attacks?
Depth and amount limiting for queries.
Adding pagination to responses.
Enforcing timeouts at the application or infrastructure level.
Implementing query cost analysis.
DoS Prevention
What is the purpose of rate limiting?
To prevent a single user from spamming requests and degrading service performance.
DoS Prevention
How can server-side batching and caching help?
They prevent duplicate data requests within a short time frame, improving efficiency.
Query Limiting (Depth & Amount)
Why should query depth and amount be limited in GraphQL?
Unlimited depth or amounts can overwhelm the server, leading to DoS vulnerabilities.
Query Limiting (Depth & Amount)
How can query limiting be implemented in GraphQL?
Using tools like graphql-depth-limit for JavaScript or MaxQueryDepthInstrumentation for Java.
Timeouts
How do application-level timeouts help prevent DoS?
They limit the resources a single request can consume, stopping excessive queries mid-process.
Timeouts
Why are infrastructure timeouts less effective?
They can be bypassed more easily and may activate too late.
Rate Limiting
How can rate limiting be enforced?
On a per-IP or per-user basis, using a WAF, API gateway, or web server configuration such as Nginx.
Server-Side Practices
Why should resources like CPU and memory be limited for APIs?
To prevent excessive resource consumption that could lead to DoS attacks.
Server-Side Practices
How can resource limits be enforced on Linux?
Use Control Groups (cgroups), User Limits (ulimits), and Linux Containers (LXC).
Access Control
How can a GraphQL API ensure proper access control?
Validate the requester’s authorization to view or modify data using mechanisms like RBAC.
Access Control
What issues are prevented by enforcing access control?
IDOR issues, including Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA).
Access Control
Why should authorization checks be enforced on both edges and nodes?
To ensure all parts of the GraphQL schema are protected, preventing unauthorized access.
Access Control
How can structured data types improve access control?
Use Interfaces and Unions to return object properties based on requester permissions.
Access Control
What tools can be used to perform access control validation in resolvers?
Query and Mutation Resolvers, potentially integrated with RBAC middleware.
Access Control
What should be disabled in production environments?
Introspection queries, GraphiQL, and other schema exploration tools.
General Data Access
What mistake leads to Broken Object Level Authorization (IDOR)?
Assuming possession of an object’s ID means the caller has access to that object without proper verification.
General Data Access
How can accidental access via node or nodes fields in GraphQL be prevented?
Check the schema for these fields and remove them if unintended, while applying authorization checks.
Query Access (Data Fetching)
How can access to specific data fields be restricted?
Add checks to validate that the requester is authorized to fetch specific fields.
Mutation Access (Data Manipulation)
Why is mutation access control important?
It ensures only authorized requesters can modify data or specific fields within the API.
Mutation Access (Data Manipulation)
When is mutation access control especially necessary?
For APIs where only read access is intended or where modification rights are limited to specific parties.
Batching Attacks
What is a batching attack in GraphQL?
A brute force attack that exploits GraphQL’s ability to batch multiple queries or object requests in a single network call, making exploits faster and less detectable.
Batching Attacks
How does batching enable enumeration?
Callers can request multiple objects (e.g., droids) in one request, enabling object enumeration with fewer network calls compared to REST APIs.
Batching Attacks
What are potential issues caused by batching attacks?
Application-level DoS from excessive queries or requests.
Enumeration of sensitive objects (users, emails, IDs).
Brute-forcing passwords, OTPs, tokens, or other sensitive data.
Bypassing rate limits and security tools like WAFs or IDS/IPS.
Mitigating Batching Attacks
What are the main strategies to mitigate batching attacks?
Add object request rate limiting in code.
Prevent batching for sensitive objects.
Limit the number of queries that can run in one batch.
Mitigating Batching Attacks
How can rate limiting help against batching attacks?
By tracking the number of object requests from a caller and blocking excessive requests, even within a single network call.
Mitigating Batching Attacks
Why disable batching for sensitive objects?
To force attackers to make individual network calls, enabling standard controls like rate limiting to function effectively.
Mitigating Batching Attacks
What is the purpose of limiting query operations in batching?
To reduce the risk of excessive queries and enhance overall security.
Secure Configurations
What should GraphQL APIs in production avoid returning?
Excessive error messages, such as stack traces, and they should not be in debug mode.
Secure Configurations
How can excessive errors be disabled in Apollo Server?
Pass debug: false to the Apollo Server constructor, or set the NODE_ENV variable to 'production' or 'test'.
Introspection and GraphiQL
Why should introspection and GraphiQL be disabled or restricted?
By default, these features allow consumers to learn details about your API, including schemas, mutations, and even private fields.
Introspection and GraphiQL
When might disabling introspection be appropriate?
For internal APIs or when unauthorized users should not access API details.
Introspection and GraphiQL
How can introspection be disabled in Java?
Use NoIntrospectionGraphqlFieldVisibility in the GraphQLSchema configuration.
Introspection and GraphiQL
How can introspection and GraphiQL be disabled in JavaScript?
Use middleware with validation rules like NoIntrospection and disable GraphiQL in production.
Mis-Typed Fields
Why disable field name suggestion if introspection is disabled?
It decreases exposure by preventing attackers from guessing field names.
Tools
What is InQL Scanner?
A security scanner for GraphQL that can generate queries and mutations automatically from a given schema and feed them to the scanner.
Tools
What is GraphiQL?
A tool for schema and object exploration in GraphQL environments.
Tools
What is GraphQL Voyager?
Another tool for schema and object exploration, providing a visual overview of GraphQL schemas.